Data privacy is generally understood as the relationship between the collection and dissemination of data, available technology, the public expectation of privacy, and the surrounding legal and political issues. Privacy concerns exist wherever personally identifiable information (PII) is collected and stored in digital form or otherwise. Improper or non-existent disclosure control can be the root cause for privacy issues. The U.S. government used the term “personally identifiable” in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB), and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122). The OMB memorandum defines PII as follows: “Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.”
Many countries have established laws to define capabilities and limitations on the collection of data and the form in which that data can be exported. They have also designated regulatory agencies to monitor compliance with these laws. At present, each sovereign state defines its own rules and oversight agency.
Companies engaged in the collection of data across international borders, therefore, should be cognizant of the laws pertaining to each jurisdiction where data is collected. Each jurisdiction may belong to a sovereign country, to a military or security authority, or to a regulatory authority monitoring compliance with a law such as the Health Insurance Portability Authority Act (HIPAA) in the United States. This becomes increasingly important when the data collected also includes information identifying the geographic location where the data was collected. The location information being linked with other collected data may provide the ability to correspond location-specific laws and/or rules of operations to each collected data element.
Companies that are in the business of collecting and disseminating information may operate under strict guidelines for how that information is to be controlled. These restrictions can be very granular, and can even be specific to the individual whose data is being collected. Also, where these companies have defined sales territories, commissions can often be calculated based on the specific geography in which the data capture occurs.